In this article, David Alizade (Lexing New Zealand) examines the new Biometric Processing Privacy Code in New Zealand, which creates specific privacy rules for businesses and organisations collecting, using and processing biometric information.
The use of biometric technology by New Zealand businesses is rapidly transforming key areas of their operations – such as customer verification, workplace access and payment security – by enhancing efficiency, authentication and security. Many businesses use biometric information – physical and behavioural traits such as faces, fingerprints, keystroke patterns and voice patterns – to verify identity, control access and track engagement. Other examples already seen in New Zealand include workplace fingerprint scanning for secure areas and the Foodstuffs North Island trial of facial recognition technology to address retail crime.
While biometrics offer convenience, they also raise concerns about surveillance, profiling and bias, because the information involved is uniquely sensitive. Biometric information is deeply personal and irreplaceable: unlike a password or a credit card number, it cannot be changed if compromised. In the view of the Privacy Commissioner, these risks have created a need for stronger legal protections.
To address these risks, the Privacy Commissioner has issued the Biometric Processing Privacy Code (1), which is a legally enforceable code under the Privacy Act 2020. (2) The Code came into force on 3 November 2025 for biometric processing that begins on or after that date, and will take effect on 3 August 2026 for biometric processing that was already underway before 3 November 2025. It applies to all agencies (including businesses) collecting, using, storing, handling, processing and disclosing biometric information.
The Code introduces stricter and more specific obligations than the Privacy Act because biometric information is especially sensitive and high risk. Existing privacy principles will be adapted and added to by the Code, impacting agencies (including businesses) that handle biometric information. These are explained below.
What the Code requires
The Code imposes safeguards focussed on necessity, transparency, and privacy:
Necessity: Proportionality test and risk assessments
Before collecting biometric information, businesses need to demonstrate necessity through a proportionality test by:
- showing the processing is lawful, effective, and that no less privacy-intrusive alternative is reasonably available;
- assessing privacy risks, weighing them against expected benefits (public, individual and private), and considering cultural impacts on Māori;
- using a trial period if effectiveness cannot be confirmed in advance;
- putting in place safeguards like consent, opt-outs, strong security, and collecting identifying details only if necessary.
The Code makes clear that proportionality means agencies must weigh privacy risks against the benefits, considering public, individual, and private benefits. Risks include over-collection, bias, chilling effects, scope creep, and surveillance. Agencies must also adopt and implement reasonable privacy safeguards before collecting biometric information, and only collect identifying details if strictly required. If the lawful purpose for which biometric information is collected does not require identifying details, they must not be collected.
Transparency: Stronger notification and transparency rules
Businesses need to notify individuals before collecting biometric information, explaining:
- why it is being collected and how it will be used;
- whether alternatives like PINs or passwords exist;
- the retention period and access or deletion options;
- how to file complaints and where to access proportionality assessments.
The Code also requires clear and conspicuous communication, including the name and address of the agency collecting and holding the information, the intended recipients, and the legal authority (if any) for collection. In practice, this means individuals should be able to easily see that biometric technology is in use, for example through clear signage at entry points or points of capture. Individuals must also be told of their rights to complain to the Privacy Commissioner, and whether the information will be used in a trial.
Safeguards: Limits on biometric use
The Code also bans certain high risk biometric uses, including:
- emotion analysis to infer mental state, health, or intentions;
- biometric profiling, except in consumer devices like fitness trackers or for limited permitted purposes such as age categorisation, accessibility support, safety threats, or authorised health uses;
- using biometric information to infer protected personal characteristics like race, ethnicity, or other grounds prohibited under the Human Rights Act 1993.(3)
In addition, biometric information collected for one purpose cannot be repurposed for another unless there is a strong connection, clear authorisation, or the information is anonymised or for approved research. Use for statistical or research purposes is permitted if the information is anonymised and subject to appropriate ethical oversight.
Other important features of the Code
Individuals have rights to access and request correction of their biometric information, and agencies must ensure accuracy before use or disclosure.
Information must be stored securely and not retained longer than necessary.
Disclosure to third parties, including overseas, is tightly restricted – agencies must believe on reasonable grounds that the recipient offers comparable safeguards to those under the Privacy Act and Code, or obtain the individual’s informed authorisation.
Unique identifiers (like biometric templates) can only be assigned where necessary and must be safeguarded against misuse.
The Code applies to automated biometric processing but excludes manual collection, biological material, and brain activity. The Code does not apply to biometric processing by a health agency where the information is “health information” (as defined in the Health Information Privacy Code 2020). (4)
Businesses do not have to disclose risk assessments or notify the Privacy Commissioner when they complete one. However, non-compliance with the Code may result in complaints, investigations, penalties, or lawsuits. Law enforcement can access biometric information under permitted exceptions without notification.
Although the Code does not ban web scraping, businesses collecting biometric information from public sources must ensure that any collection is fair and does not unreasonably intrude into individuals’ personal affairs.
Compliance
For New Zealand businesses, the Code works in conjunction with (and does not replace) the Privacy Act in relation to the handling of biometric information. It is not intended to create an entirely new privacy regime but to provide clearer and more specific rules for a category of information that carries higher risk. The Privacy Act establishes general principles for handling personal information, while the Code introduces specific rules tailored to biometric information. This means that businesses must comply with both the obligations of the Privacy Act and the additional requirements contained in the Code.
Next steps
As stated above:
- The Code is now in force for biometric processing that begins on or after 3 November 2025.
- For biometric processing already in use on or before 3 November 2025, businesses have until 3 August 2026 to comply before enforcement begins.
Also as stated above, non-compliance could have serious legal consequences for businesses, but there is also a risk of reputational damage if systems and processes relating to biometric information fall short. Businesses collecting, using, storing, handling, processing or disclosing biometric information must assess their current systems and make any necessary changes to comply with the Code and maintain the trust of their customers.
Practical compliance checklist for businesses
To prepare for the Code, businesses should:
- Review all current and planned biometric uses – identify where biometric information is collected or processed.
- Apply the proportionality test – confirm the processing is lawful, necessary, effective, and proportionate to privacy risks, weighing benefits against impacts (including cultural impacts on Māori).
- Update privacy notices and policies – ensure they cover all required information, including alternatives, retention periods, and complaint processes.
- Strengthen safeguards – adopt consent/opt-outs where appropriate, enhance security, and minimise retention.
- Plan for enforcement dates – ensure all new projects involving the collection of biometric information already comply with the Code, and update existing systems involving the collection of biometric information before August 2026.
(1) Biometric Processing Privacy Code 2025.
(2) Privacy Act 2020, s 32.
(3) Human Rights Act 1993, s 21.
(4) Health Information Privacy Code 2020, clause 4(1).
Our advice:
To know more, please contact Lexing New Zealand: https://lexing.network/pays/new-zealand/
